A week or two back, the Australian Signals Directorate (ASD) replaced their “Top 4 Mitigation Strategies” with a twice-the-fun version called the “Essential 8.”
“Why?” I hear you ask… That’s a good question.
After all, it was a big deal when the Top 4 came out in 2010 (and then updated in 2012 and 2014) as the ASD claimed that it would address 85% of targeted attacks. Their website still says that the Top 4 address 85% of targeted attacks. So, if nothing else has changed, why change the Top 4? There would seem to be a few possible explanations:
- Everyone has finished rolling out the Top 4 and needed the next few laid out for them.
- Attacks have changed, and as a result, the Top 4 no longer address 85% of targeted attacks so we need to change tack.
- The change is tacit recognition that the Top 4, while great controls, carry a heavy implementation burden (especially application white-listing) and so are not a realistic target for most organisations; the Essential 8 was created to provide a more ‘attainable’ set of controls.
- ASD just felt it needed a refresh to maintain focus and to highlight that the Top 4 aren’t the only controls you need.
The first of those is, sadly, laughable. The second is plausible but not certain. The third is quietly compelling (I mean, we all feel better about 7 out of 8 than we do with 3 out of 4). And the last one is also pretty persuasive.
Enough about the why, let’s talk about the change itself.
What is the Essential 8?
If an organisation or agency was pursuing the Top 4 but has not yet reached that implementation goal, what should it do now? Switch focus to the Essential 8 or continue with the Top 4?
And perhaps the most important question of them all… where is the video? (here’s a link to Catch, Patch, Match from back in 2010, which is actually pretty good. I mean, it’s no PCI DSS Rock, but each to their own).
Here’s a bit of background for those who are not so familiar with the Top 4:
- Based on ASD’s experience in responding to Cyber Security incidents, a list of strategies to Mitigate Targeted Cyber Intrusions was first published in 2010.
- In 2011, the ASD found that the Top 4 controls (out of 35), when properly implemented, effectively mitigate 85% of ‘targeted cyber attacks’.
- In 2013, the Attorney-General’s Department updated the Australian Government Protective Security Policy Framework (PSPF) to require Australian government agencies to implement ICT protective security controls to meet ASD’s Top 4 Strategies.
- In Feb 2017, the ASD released Strategies to mitigate cyber security incidents, Strategies to mitigate cyber security incidents — mitigation details, and Essential Eight Explained.
Note the change of name of the main document from ‘Strategies to Mitigate Targeted Cyber Intrusions’ to ‘Strategies to mitigate cyber security incidents’.
These 3 documents present 37 controls as mitigation strategies against the 6 threats listed below. The Top 4 are unchanged from the previous update; however, the Top 4 plus 4 further controls are now presented as a new baseline called the Essential 8.
3 documents, 37 controls, 6 threats, Top 4, Essential 8… Confused yet? This is what Hivint’s Chief Apiarist, Nick Ellsmore, had to say about so many numbers flying around these days:
So, what are the changes?
This article isn’t going to present a control-by-control comparison. You’ll find plenty of those. We want to look at the big picture change. In terms of the number of controls, there are now 37 controls and not 35 — a few added, a few combined, a few renamed or modified. Despite the ASD website having a complete list of changes, there will be many a blog post picking it apart. We want to help you figure out what to do about it.
The Top 4 mitigation strategies remain the same, and are still mandatory for Australian Federal Government agencies.
Previously, all 35 strategies were described as strategies to mitigate one key threat: targeted cyber attacks. The ASD also claimed that when the Top 4 were properly implemented, they effectively mitigated 85% of targeted cyber attacks. One key change in the new release is that the threat landscape is now defined more broadly, covering the following 6 threats:
- Targeted cyber attacks
- Ransomware and other external adversaries
- Malicious insiders who steal data
- Malicious insiders who destroy data and prevent computers/networks from functioning
- Business email compromise
- Threats to industrial control systems
Four additional controls, along with the Top 4, form the Essential 8. This is presented as a ‘Baseline’ for all organisations. At first glance, the Essential 8 feels like a natural extension that organisations can adopt into their security strategy without much of a hassle. Realistically though, it’s a bit more complicated than that.
When it came out in 2010, the ‘Strategies to Mitigate Targeted Cyber Intrusions’ was considered quite unique, since it confidently declared that by doing the Top 4, organisations would mitigate 85% of ‘targeted cyber attacks’. In hindsight, the full list of 35 was probably too long for most organisations to digest, and few ever looked past the attractiveness of only having four things to do. That said, most organisations would have at least some of the 31 other controls implemented through their standard Business as Usual (BAU) operations (e.g. email/web content filtering, user education), whether or not they set out with the list in hand.
It is worth noting here that we have seen very few organisations genuinely deploy the Top 4 comprehensively.
It is also worth noting that for many organisations trying to climb the ladder of resilience, “targeted threats” seem a long way away; managing the risk of non-targeted scattergun malware attacks, naïve but well-meaning users, and the Windows XP fleet is more like today’s problem.
And at the other end, looking at genuinely nation-state-targeted Government institutions, it seems unlikely that a Top 4 would remain current for 7 or more years given the changing nature of threats. Stuxnet, Ed Snowden and the Mirai botnet are a few extreme examples, but nevertheless game-changing events that could affect how the importance of a control (mitigation strategy, in the context of this document) is rated, especially when the primary audience is Government institutions.
But given the challenges in planning, funding, and rolling out a Top 4 mitigation program, one has to appreciate the consistency — it would be a nightmare to try to address a dynamic list of priorities within Government agencies with turning circles like oil tankers.
The Essential 8 can be seen as a good compromise where organisations who are working towards the Top 4 (or have it in place already) can incorporate the additional 4 controls without disrupting the status quo, while the list appears to stay relevant to the changes in Cyber. Seems like a pretty good approach.
The overall list of 37 mitigation strategies is categorised under 5 headings:
- Mitigation strategies to prevent malware delivery and execution
- Mitigation strategies to limit the extent of cyber security incidents
- Mitigation strategies to detect cyber security incidents and respond
- Mitigation strategies to recover data and system availability
- Mitigation strategy specific to preventing malicious insiders
Strategies to mitigate cyber security incidents — mitigation details contains detailed implementation guidance for each of the 37 strategies, grouped under the above 5 headings.
Clearly this article was not written for cybersecurity gurus like you. It’s for all those people who haven’t yet deployed their holistic, risk-based, defence-in-depth inspired, ASD-Top-35-addressing security program in totality.
Okay, in all seriousness, if your security strategy is risk based and is aligned with where the organisation is heading, this change shouldn’t bother you too much. ASD too acknowledges that in some instances, the risk or business impact of implementing the Top 4 might outweigh the benefits.
Hence, the best bet continues to be a risk-based approach to security which is informed by the Top 4 (or the Essential 8, or the ISM, or ISO, or whatever your flavour happens to be) rather than attempting to blindly comply with a checklist.
And sadly, there is no video this time.
Article by Adrian Don Peter, Senior Security Advisor, Hivint